Computer scientists at the University of Waterloo have discovered a unique cyberattack methodology that can break voice authentication security systems with an exceptional success rate of 99% within six attempts. The finding shows that such systems are not entirely secure against sophisticated malicious actors.
Cybersecurity implies securing your information systems and making it difficult for cyber attackers to infiltrate the network and access critical and protected data. It encompasses advanced cybersecurity tools like OTP (One-time Password), MFA (Multi-factor Authentication), biometrics, etc., to ensure that only genuine users access restricted network systems.
Voice authentication security systems are also handy in strengthening cybersecurity strategies. However, malicious actors have become smarter and more innovative in discovering ways to bypass voice authentication and access network systems.
Voice Authentication – The Concept
Organizations in the banking sector and other businesses where security is paramount increasingly adopt voice authentication as an additional security layer to grant access to authorized users. This cybersecurity strategy involves users repeating a specific phrase in their voice.
Andre Kassis, a computer security and privacy Ph.D. researcher, explains that the authentication system extracts a unique vocal signature, also known as a ‘voiceprint’, from the phrase and stores it on the central server.
This ‘voiceprint’ or voice signature can help authenticate genuine clients and authorize them to access network systems. The user is asked to repeat a different phrase when attempting future access to the system. The system extracts features from this voice recording and compares them with the stored voiceprint to determine whether to grant the user access.
How Can Voice Authentication Help Secure Systems?
In this age of advanced technology, ensuring that only genuine users access network systems is crucial. Otherwise, malicious actors can access network systems and launch ransomware attacks or compromise confidential and critical data assets.
Therefore, organizations have various cybersecurity tools in place to secure access to the network. Using multi-factor authentication (MFA) is one cybersecurity strategy where the user must provide additional confirmation to corroborate their credentials. It can be through randomly generated OTPs, fingerprint verification, or other biometric identification.
However, instances of malicious actors bypassing MFA are increasing because of technological advancements. Hence, more innovative methods like voice authentication can serve as better options to distinguish genuine users from malicious actors, as they can be more foolproof than methods like MFA.
How Have Cyberattackers Improved?
Very soon after the introduction of voice authentication technology, threat actors came up with methods to manipulate the voice samples of users. They could use ML-enabled ‘deepfake software’ to generate identical copies of the target’s voice sample using as little data as five minutes of recorded audio, rendering the security technology useless.
The Developer’s Response
Because malicious actors have found ways to break voice authentication, as mentioned above, developers have introduced additional tools called ‘spoofing countermeasures’.
These are a series of cybersecurity checks that examine a speech sample to determine whether it is original or machine-created. They ensure that threat actors cannot easily break the voice authentication system with deepfake voice duplication attempts.
However, the University of Waterloo cybersecurity scientists have discovered a method of evading even ‘spoofing countermeasures’ and deceiving voice authentication security systems within six tries.
They identified specific markers in deepfake audio that reveal it as computer-generated. They then developed a program that removes these markers, making the audio indistinguishable from authentic recordings. It means malicious actors can easily fool even the spoofing countermeasures by eliminating from their deepfake voice imitations the elements that help authentication systems identify them as fake.
The researchers tested the software against Amazon Connect’s Voice Authentication System and achieved a 10% success rate in one 4-second attack. They improved it to 40% with less than half a minute of audio. When used against less sophisticated voice authentication cybersecurity systems, the program achieved 99% accuracy within six attempts.
So, Is Voice Authentication a Reliable Cybersecurity Tool?
Kassis says that something is always better than nothing. The voice authentication security system might not be fully cyberattack-proof, but it is always better than having no security measures. Besides, the research shows that existing spoofing countermeasures need to be revised.
Voice authentication should not be the sole authentication method. It is good security and provides adequate ransomware protection if you can use it as a safeguard in addition to other cybersecurity measures. It is still better than many anti-phishing services organizations use as cybersecurity tools.
Kassis opines that thinking like a malicious actor is the best way to develop a cybersecurity strategy. That gives you the edge because if you do not do so, you are a sitting duck for cyberattacks.
Urs Hengartner, Kassis’ supervisor and computer science professor, adds that this study should encourage organizations relying on voice authentication security systems to deploy additional or more robust authentication measures.
Such a step is necessary because this research has proved that voice authentication alone is an inadequate cybersecurity strategy, making network systems relying on no other authentication mode vulnerable to cyberattacks.
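The recommendation above, sketched as an access decision (an added example, not code from the researchers or from any vendor): a sample that matches the voiceprint and passes the spoofing countermeasure only triggers a request for a second factor, and failed attempts lock the account before six tries are reached. The function names, thresholds, score ranges and feature vectors are all assumptions made for illustration.

```python
import math
from dataclasses import dataclass

# All thresholds and names are assumptions made for this example.
MATCH_THRESHOLD = 0.80  # minimum similarity to the enrolled voiceprint
SPOOF_THRESHOLD = 0.50  # countermeasure score at or above this = likely synthetic
MAX_FAILURES = 3        # lock out well before the six tries cited in the study


@dataclass
class Account:
    voiceprint: list  # feature vector stored at enrolment
    failures: int = 0
    locked: bool = False


def cosine(a, b):
    """Cosine similarity between two equal-length feature vectors."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


def verify(account, features, spoof_score, second_factor_ok=None):
    """Return 'granted', 'step_up', 'denied' or 'locked' for one attempt.

    second_factor_ok: None = not presented yet, True/False = checked result.
    """
    if account.locked:
        return "locked"
    voice_ok = cosine(account.voiceprint, features) >= MATCH_THRESHOLD
    genuine = spoof_score < SPOOF_THRESHOLD
    if voice_ok and genuine and second_factor_ok is None:
        return "step_up"  # voice alone never grants access
    if voice_ok and genuine and second_factor_ok:
        account.failures = 0
        return "granted"
    account.failures += 1  # bad voice, flagged sample, or wrong second factor
    if account.failures >= MAX_FAILURES:
        account.locked = True
        return "locked"
    return "denied"


if __name__ == "__main__":
    acct = Account(voiceprint=[0.9, 0.1, 0.3])  # constructed sample vector
    print(verify(acct, [0.88, 0.12, 0.31], spoof_score=0.1))  # step_up
```

Even if synthetic audio defeats both the voiceprint match and the countermeasure, the outcome is `step_up` rather than `granted`, so the second factor remains the deciding check.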
The best way to devise new cybersecurity strategies is to think like a threat actor. This outlook provides insights into how malicious actors think and plan cyberattacks. While it exposes the network system’s vulnerabilities, it also offers insights into formulating effective strategies to plug the gaps and prevent cyberattacks.
This research on voice authentication vulnerabilities is a welcome step in the right direction. The research findings titled ‘Breaking Security-Critical Voice Authentication’ by Andre Kassis and Dr. Urs Hengartner were published in the 44th IEEE Symposium on Security and Privacy’s proceedings.